“Junction” malware used to "marshal data into and out of ESXi guest VMs via VSOCK sockets" says F5 Inc.'s customer threat report, obtained by The Stack.
The threat group that breached F5 is moving quickly from vulnerable network appliances to "vCenter servers and ESXi hypervisors hosting virtualized systems," The Stack can reveal.
It has also been seen using new malware dubbed "Junction" to pull data "out of ESXi guest VMs via VSOCK sockets."
That’s according to a private advisory that the network security company is sharing with customers, in the wake of a “long-term” breach that it first disclosed on October 15.
F5 is not sharing the 33-page threat hunting report publicly.
But The Stack has independently obtained a copy – which reveals the means by which the attackers are targeting VMware environments "for persistence and to evade security tools."
CISA has called for “immediate emergency action” in the wake of the incident, saying the threat group “presents an imminent threat to federal networks using F5 devices and software.”
Nasdaq-listed F5 Inc. serves over 22,000 customers. It had its systems compromised for over a year, sources say – and multiple undisclosed vulnerabilities in its BIG-IP suite stolen.